[Dnsmasq-discuss] DNSMasq, DHCP, Shorewall, and Proxy Arp

richardvoigt at gmail.com richardvoigt at gmail.com
Mon Feb 4 13:41:35 GMT 2008

On Feb 4, 2008 8:02 AM, Steve H. <steve at csquaredtech.com> wrote:
> On Sunday 03 February 2008 03:21:41 am rune.kock at gmail.com wrote:
> > > > What if the netmask for the interface on the DNSMasq box/gateway was
> > > > expanded to include all addresses?  I guess that could mess up your
> > > > global routing.
> >
> > I think you could fix the routing table manually, and then it would work.
> >
> Hmm - playing even more tricks with the networking doesn't strike me as a good
> idea.  Ideally, what I'd like is a 'do what I say' switch for DNSMasq - to
> get it to skip that step of validation.  Given that the user has to
> explicitly create a dhcp-range and then a dhcp-host entry, it should probably
> be a case of "do what the user says, even if its dumb" :-)

You haven't done anything different in the dnsmasq configuration from
someone using relay agents, which is by far the more common scenario,
and which requires that same validation.

> > > What I don't understand is  why DNSMasq is confused.
> >
> > I guess it's because it also has to handle the cases when it has to
> > serve different dhcp-ranges to different interfaces.  So it checks
> > that the dhcp range matches the ip of the interface.  Normally a very
> > good idea.
> >
> Networking isn't my strong point, but I'd say that with bridging, vlans,
> proxyarp, nat, etc - you really can't tell whats 'expected' on an interface
> from looking at its i.p. any more...

None of those methods would cause the IP address of arriving packets
on a logical interface to be anything except in a subnet containing an
address configured on that interface.

What you appear to be doing is IP spoofing, and that is quite outside
the realm of what is expected and/or desirable for a robust network.

Most people in your situation (wanting some nodes on internal networks
to not use up public addresses) choose to use static 1:1 NAT, which
dnsmasq, iptables, routing would support out of the box.  You've
already played so many tricks with the routing that it'd hard to see
how you're going to make things work without either more and more
tricks, or else ripping up the entire configuration and using a
straightforward, well-supported networking design in its place.

> Anyway, if no-one has a "yes, dnsmasq can do that and here's how" sort of
> thing, I guess I'll look at isc dhcpd.  I'm rather bummed as I've been using
> DNSMasq for years, and its really awesome.  I _love_ the DNS/DHCP
> integration - it makes it much easier to keep track of things when I can just
> do a DNS lookup to find them :-)

I'd be very surprised if isc dhcpd readily supports the IP spoofing
scenario.  Since it has support for relay agents, I expect that it too
would interpret those addresses as intended for relayed requests.

> Steve
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

More information about the Dnsmasq-discuss mailing list